Access control (Role-based)

doc/user/content/security/cloud/access-control/_index.md


{{< annotation type="Disambiguation" >}} {{% include-headless "/headless/rbac-cloud/rbac-intro-disambiguation-cloud" %}}

This section focuses on the database access control. For information on organization roles, see Users and service accounts. {{</ annotation >}}

Role-based access control (RBAC)

In Materialize, role-based access control (RBAC) governs access to database objects through privileges granted to database roles.

Roles and privileges

{{% include-headless "/headless/rbac-cloud/db-roles" %}}

Managing privileges

{{% include-headless "/headless/rbac-cloud/db-roles-managing-privileges" %}}

{{< annotation type="Disambiguation" >}} {{% include-headless "/headless/rbac-cloud/grant-vs-alter-default-privilege" %}} {{</ annotation >}}

Initial privileges

{{% include-headless "/headless/rbac-cloud/db-roles-initial-privileges" %}}

You can modify the privileges of your organization's PUBLIC role, as well as modify the default privileges for PUBLIC.

Privilege inheritance and modular access control

In Materialize, when you grant a role to another role (whether a user role, a service account role, or an independent role), the target role inherits the privileges of the granted role.

In general, to grant a user or service account privileges, create roles with the desired privileges and grant these roles to the database role associated with the user's email or the service account's name. Although you can grant privileges directly to the associated roles, using separate, reusable roles is recommended for better access management.

With privilege inheritance, you can compose more complex roles by combining existing roles, enabling modular access control. However:

  • Inheritance only applies to role privileges; role attributes and parameters are not inherited.
  • {{% include-headless "/headless/rbac-cloud/revoke-roles-consideration" %}}
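The following SQL walks through the pattern described in the sections above (reusable privilege roles, composition through inheritance, PUBLIC and default privileges, and the non-inheritance of role parameters). It is an added example written for this page, not code from the Materialize documentation or project; the database `materialize`, schema `analytics`, table `orders`, cluster `reporting`, the roles `order_reader` and `order_admin`, and the user roles `alice@example.com` and `owner@example.com` are all assumed names.

```sql
-- Added example (not from the Materialize docs). Every object and role name
-- below is an assumption chosen for illustration.

-- 1. Put the privileges on a reusable role rather than on the user's own role.
CREATE ROLE order_reader;

-- Reading a table needs USAGE on the database and schema that contain it,
-- SELECT on the table itself, and USAGE on a cluster to run the query.
GRANT USAGE ON DATABASE materialize TO order_reader;
GRANT USAGE ON SCHEMA materialize.analytics TO order_reader;
GRANT SELECT ON TABLE materialize.analytics.orders TO order_reader;
GRANT USAGE ON CLUSTER reporting TO order_reader;

-- 2. Compose a broader role from the narrower one. Through inheritance,
--    order_admin holds everything order_reader holds plus its own grants.
CREATE ROLE order_admin;
GRANT order_reader TO order_admin;
GRANT INSERT, UPDATE, DELETE ON TABLE materialize.analytics.orders TO order_admin;

-- 3. Attach the reusable role to the database role that corresponds to the
--    user. Those roles are named after the user's email, so quote the name.
GRANT order_reader TO "alice@example.com";

-- 4. Role parameters are NOT inherited: a default cluster set on
--    order_reader would not reach alice, so set it on her role directly.
ALTER ROLE "alice@example.com" SET cluster TO 'reporting';

-- 5. GRANT only covers objects that exist now; ALTER DEFAULT PRIVILEGES
--    covers tables that "owner@example.com" creates in the schema later.
ALTER DEFAULT PRIVILEGES FOR ROLE "owner@example.com"
    IN SCHEMA materialize.analytics
    GRANT SELECT ON TABLES TO order_reader;

-- 6. PUBLIC is a role like any other, so its initial privileges can be
--    narrowed with REVOKE (here: stop everyone from using the cluster).
REVOKE USAGE ON CLUSTER reporting FROM PUBLIC;

-- 7. Audit the effective privileges of a role, inherited ones included,
--    and the memberships through which they arrive.
SHOW PRIVILEGES FOR order_admin;
SHOW ROLE MEMBERSHIP FOR "alice@example.com";

-- 8. Revoking the membership removes every privilege alice received through
--    order_reader in one step; privileges she holds via other roles remain.
REVOKE order_reader FROM "alice@example.com";
```

The design point to take from steps 1 to 3 is that the user's role carries no privileges of its own: access is reviewed and removed by changing role membership, which keeps the privilege surface of each reusable role small enough to audit with a single `SHOW PRIVILEGES`.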

Best practices

{{% yaml-sections data="rbac/recommendations-cloud" heading-field="recommendation" heading-level=3 %}}